/// <summary>
/// This methos validates the Simple Web Token.
/// </summary>
/// <param name="token">A simple web token.</param>
/// <returns>A Claims Collection which contains all the claims from the token.</returns>
public ClaimsIdentityCollection ValidateToken(SecurityToken token, string key)
{
SimpleWebToken realToken = token as SimpleWebToken;
if (realToken == null)
{
throw new InvalidTokenReceivedException("The received token is of incorrect token type.Expected SimpleWebToken");
}
if (realToken.AudienceUri != OAuthConfiguration.Configuration.ServiceSettings.Realm)
{
throw new InvalidTokenReceivedException("The Audience Uri of the incoming token is not expected. Expected AudienceUri is " + OAuthConfiguration.Configuration.ServiceSettings.Realm);
}
if (StringComparer.OrdinalIgnoreCase.Compare(realToken.Issuer, OAuthConfiguration.Configuration.StsSettings.IssuerUri.ToString()) != 0)
{
throw new InvalidTokenReceivedException("The Issuer of the token is not trusted. Trusted issuer is " + OAuthConfiguration.Configuration.StsSettings.IssuerUri);
}
if (!realToken.SignVerify(Convert.FromBase64String(key)))
{
throw new InvalidTokenReceivedException("Signature verification of the incoming token failed.");
}
if (DateTime.Compare(realToken.ValidTo, DateTime.UtcNow) <= 0)
{
throw new ExpiredTokenReceivedException("The incoming token has expired. Get a new access token from the Authorization Server.");
}
ClaimsIdentityCollection identities = new ClaimsIdentityCollection();
ClaimsIdentity identity = new ClaimsIdentity();
foreach (var claim in realToken.Claims)
{
identity.Claims.Add(claim);
}
identities.Add(identity);
return(identities);
}
// POST api/issue
public HttpResponseMessage Post(TokenRequest rst)
{
Uri scope = rst.Scope;
if (scope == null)
{
return Request.CreateResponse<TokenResponse>(HttpStatusCode.BadRequest, new TokenResponse() { Error = OAuthError.INVALID_REQUEST });
}
string key = OAuthConfiguration.Configuration.StsSettings.SymmetricKey;
TimeSpan lifeTime = new TimeSpan(0, 0, OAuthConfiguration.Configuration.StsSettings.TokenLifeTimeInSec);
var claims = new List<Claim>();
claims.Add(new Claim(ClaimTypes.Name, this.User.Identity.Name));
claims.Add(new Claim(ClaimTypes.Role, "AssetsServiceUser"));
claims.Add(new Claim(ClaimTypes.Role, "Developer"));
claims.Add(new Claim(ClaimTypes.Role, "Administrator"));
SimpleWebToken token = new SimpleWebToken(scope, OAuthConfiguration.Configuration.StsSettings.IssuerUri.ToString(), DateTime.UtcNow + lifeTime, claims, key);
var tokenResponse = new TokenResponse() { AccessToken = token.ToString(), TokenType = "bearer", ExpiresIn = 600 };
return Request.CreateResponse<TokenResponse>(HttpStatusCode.OK, tokenResponse);
}
/// <summary>
/// Reads a serialized token and converts it into a <see cref="SecurityToken"/>.
/// </summary>
/// <param name="rawToken">The token in serialized form.</param>
/// <returns>The parsed form of the token.</returns>
public SecurityToken ReadToken(string rawToken)
{
char parameterSeparator = '&';
Uri audienceUri = null;
string issuer = null;
string signature = null;
string unsignedString = null;
string expires = null;
if (string.IsNullOrEmpty(rawToken))
{
throw new ArgumentNullException("rawToken");
}
//
// Find the last parameter. The signature must be last per SWT specification.
//
int lastSeparator = rawToken.LastIndexOf(parameterSeparator);
// Check whether the last parameter is an hmac.
//
if (lastSeparator > 0)
{
string lastParamStart = parameterSeparator + SwtConst.Digest256Label + "=";
string lastParam = rawToken.Substring(lastSeparator);
signature = lastParam.Replace(lastParamStart, "");
// Strip the trailing hmac to obtain the original unsigned string for later hmac verification.
// e.g. name1=value1&name2=value2&HMACSHA256=XXX123 -> name1=value1&name2=value2
//
if (signature != null && lastParam.StartsWith(lastParamStart, StringComparison.Ordinal))
{
unsignedString = rawToken.Substring(0, lastSeparator);
}
else
{
throw new InvalidTokenReceivedException("Then incoming token does not have a signature");
}
}
else
{
throw new InvalidTokenReceivedException("The Simple Web Token must have a signature at the end. The incoming token did not have a signature at the end of the token.");
}
// Signature is a mandatory parameter, and it must be the last one.
// If there's no trailing hmac, Return error.
//
if (unsignedString == null)
{
throw new InvalidTokenReceivedException("The Simple Web Token must have a signature at the end. The incoming token did not have a signature at the end of the token.");
}
// Create a collection of SWT claims
//
NameValueCollection rawClaims = ParseToken(unsignedString);
audienceUri = new Uri(rawClaims[SwtConst.AudienceLabel]);
if (audienceUri != null)
{
rawClaims.Remove(SwtConst.AudienceLabel);
}
else
{
throw new InvalidTokenReceivedException("Then incoming token does not have an AudienceUri.");
}
expires = rawClaims[SwtConst.ExpiresOnLabel];
if (expires != null)
{
rawClaims.Remove(SwtConst.ExpiresOnLabel);
}
else
{
throw new InvalidTokenReceivedException("Then incoming token does not have an expiry time.");
}
issuer = rawClaims[SwtConst.IssuerLabel];
if (issuer != null)
{
rawClaims.Remove(SwtConst.IssuerLabel);
}
else
{
throw new InvalidTokenReceivedException("Then incoming token does not have an Issuer");
}
List<Claim> claims = DecodeClaims(issuer, rawClaims);
SimpleWebToken swt = new SimpleWebToken(audienceUri, issuer, DecodeExpiry(expires), claims, signature, unsignedString);
return swt;
}
/// <summary>
/// Reads a serialized token and converts it into a <see cref="SecurityToken"/>.
/// </summary>
/// <param name="rawToken">The token in serialized form.</param>
/// <returns>The parsed form of the token.</returns>
public SecurityToken ReadToken(string rawToken)
{
char parameterSeparator = '&';
Uri audienceUri = null;
string issuer = null;
string signature = null;
string unsignedString = null;
string expires = null;
if (string.IsNullOrEmpty(rawToken))
{
throw new ArgumentNullException("rawToken");
}
//
// Find the last parameter. The signature must be last per SWT specification.
//
int lastSeparator = rawToken.LastIndexOf(parameterSeparator);
// Check whether the last parameter is an hmac.
//
if (lastSeparator > 0)
{
string lastParamStart = parameterSeparator + SwtConst.Digest256Label + "=";
string lastParam = rawToken.Substring(lastSeparator);
signature = lastParam.Replace(lastParamStart, "");
// Strip the trailing hmac to obtain the original unsigned string for later hmac verification.
// e.g. name1=value1&name2=value2&HMACSHA256=XXX123 -> name1=value1&name2=value2
//
if (signature != null && lastParam.StartsWith(lastParamStart, StringComparison.Ordinal))
{
unsignedString = rawToken.Substring(0, lastSeparator);
}
else
{
throw new InvalidTokenReceivedException("Then incoming token does not have a signature");
}
}
else
{
throw new InvalidTokenReceivedException("The Simple Web Token must have a signature at the end. The incoming token did not have a signature at the end of the token.");
}
// Signature is a mandatory parameter, and it must be the last one.
// If there's no trailing hmac, Return error.
//
if (unsignedString == null)
{
throw new InvalidTokenReceivedException("The Simple Web Token must have a signature at the end. The incoming token did not have a signature at the end of the token.");
}
// Create a collection of SWT claims
//
NameValueCollection rawClaims = ParseToken(unsignedString);
audienceUri = new Uri(rawClaims[SwtConst.AudienceLabel]);
if (audienceUri != null)
{
rawClaims.Remove(SwtConst.AudienceLabel);
}
else
{
throw new InvalidTokenReceivedException("Then incoming token does not have an AudienceUri.");
}
expires = rawClaims[SwtConst.ExpiresOnLabel];
if (expires != null)
{
rawClaims.Remove(SwtConst.ExpiresOnLabel);
}
else
{
throw new InvalidTokenReceivedException("Then incoming token does not have an expiry time.");
}
issuer = rawClaims[SwtConst.IssuerLabel];
if (issuer != null)
{
rawClaims.Remove(SwtConst.IssuerLabel);
}
else
{
throw new InvalidTokenReceivedException("Then incoming token does not have an Issuer");
}
List <Claim> claims = DecodeClaims(issuer, rawClaims);
SimpleWebToken swt = new SimpleWebToken(audienceUri, issuer, DecodeExpiry(expires), claims, signature, unsignedString);
return(swt);
}
